This is a Linux machine with FTP and web services enabled; an FTP configuration mistake leaks the web root directory. Additionally, it filters out common PHP extensions, but not all of them! (I find that php5 can be exploited.)

After logging in as www-data, an unprivileged user for web management, I discover a hidden SUID program that allows me to pivot to another normal user, markos. Then I follow the instructions on the web page (/note.txt) to locate a JPG image. Analysis reveals that it contains a hidden pass.txt file embedded with steganography. Unfortunately, I am wrong from the start: the password is actually the image's name. With it, I successfully pivot to user marta, who leaves hints for us on the web page. Finally, I discover a sudo rule that lets me use LOTL (living off the land) to read arbitrary files. To get a root shell, I try to read the SSH key and the system's /etc/shadow. Luckily, the shadow file is there for me. After cracking it with john, I successfully pivot to another user. That user also has a sudo rule for LOTL, but this time it allows me to spawn a root shell!